
PowerPoint Presentation by Charlie Cook Copyright © 2004 South-Western. All rights reserved. Chapter 8 IT Governance: Management Control of Information.




1 PowerPoint Presentation by Charlie Cook. Copyright © 2004 South-Western. All rights reserved.
Chapter 8: IT Governance: Management Control of Information Technology and Information Integrity

2 (8–2) Learning Objectives
- To explain why business organizations need to achieve an adequate level of internal control
- To explain the importance of internal control to organizational and IT governance, and to business ethics
- To enumerate IT resources and explain how difficult it is to control them
- To describe management fraud, computer fraud, and computer abuse

3 (8–3) Learning Objectives
- To describe the major IT control processes organizations use to manage their IT resources
- To identify operations and information process control goals and categories of control plans

4 (8–4) Why Controls?
- To ensure attainment of objectives
- To lessen risks of unwanted outcomes
  - Heightened awareness of scandals
  - Impact of software and hardware on corporate governance
  - Management’s legal responsibilities
  - Highly publicized management and employee fraud

5 (8–5) Fraud and Control
- Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
- Management is charged with the responsibility to prevent and/or disclose fraud.
- Control systems enable management to meet this responsibility.

6 (8–6) Internal Control
- A system of integrated elements (people, structure, processes, and procedures) acting together to provide reasonable assurance that an organization achieves its process goals.
- The internal control system is the responsibility of top management and therefore should:
  - Reflect management’s careful assessment of risks.
  - Be based on management’s evaluation of costs versus benefits.
  - Be built on management’s strong sense of business ethics and personal integrity.

7 (8–7) Ethics and Controls
- The COSO report stresses ethics as part of the control environment (“tone at the top”).
- Many corporations have developed a Code of Conduct.

8 (8–8) Business Process Control Goals and Plans
- Goals: objectives to be obtained
  - Operations process
  - Information process
- Plans: policies and procedures that assist in accomplishing control goals

9 (8–9) Effectiveness and Efficiency
- Effectiveness: a measure of individual or organizational success in meeting established goals.
- Efficiency: a measure of the productivity of resources applied to individual and organizational goals.

10 (8–10) Control Goals of the Operations Process
- Effectiveness of operations
  - Ensure the operations process is fulfilling its purpose
  - Satisfying critical success factors
- Efficient employment of resources
  - Prevent unnecessary waste of resources
  - Accomplish goals with a minimum deployment of resources
- Security of resources
  - Lock the door
  - Lock the computer door (access codes/passwords)

11 (8–11) Control Goals of the Information Process
- For transaction data (temporary):
  - Input validity (only approved/authorized data)
  - Input completeness (all valid data captured/entered)
  - Input accuracy (correct data entered correctly)
- For master data (permanent):
  - Update completeness (all data entered is reflected in the updated master)
  - Update accuracy (data entered is reflected accurately in the updated master)
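The three transaction-data goals above (validity, completeness, accuracy) are usually enforced together at the point of input. The following is an added illustration, not code from the deck: a constructed batch of keyed transactions is checked against an authorized-customer list (validity), field-level edit checks (accuracy), and a record count and hash total supplied with the batch (completeness). The customer IDs, amounts and control totals are all made up for the example.

```python
# Added example: batch-level input controls mapped to the three transaction-data
# control goals. Master data, batch records and control totals are constructed.
import re

# Assumed master data: customers authorized to transact (input validity).
AUTHORIZED_CUSTOMERS = {"C100", "C200", "C300"}

# Constructed batch: a control record prepared by the submitting department plus
# the detail records actually keyed in. Hash total is the sum of amounts.
BATCH_CONTROL = {"record_count": 4, "hash_total": 1250.00}
BATCH_DETAIL = [
    {"id": "T1", "customer": "C100", "amount": "500.00", "date": "2004-03-01"},
    {"id": "T2", "customer": "C999", "amount": "250.00", "date": "2004-03-01"},  # not authorized
    {"id": "T3", "customer": "C200", "amount": "5OO.00", "date": "2004-03-02"},  # letter O keyed
]

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
AMOUNT_RE = re.compile(r"^\d+\.\d{2}$")


def edit_checks(rec):
    """Input accuracy: field-level edit checks on one record; returns a list of findings."""
    errs = []
    if not AMOUNT_RE.match(rec["amount"]):
        errs.append("amount not numeric")
    if not DATE_RE.match(rec["date"]):
        errs.append("bad date format")
    return errs


def check_batch(control, detail, authorized):
    """Return the exceptions found, keyed by the control goal each one violates."""
    exceptions = {"validity": [], "accuracy": [], "completeness": []}
    for rec in detail:
        # Input validity: only authorized parties may appear in the batch.
        if rec["customer"] not in authorized:
            exceptions["validity"].append(rec["id"])
        errs = edit_checks(rec)
        if errs:
            exceptions["accuracy"].append((rec["id"], errs))
    # Input completeness: recompute the control totals over what was captured and
    # compare with what the submitter said was sent (only well-formed amounts add).
    count = len(detail)
    hash_total = sum(float(r["amount"]) for r in detail if AMOUNT_RE.match(r["amount"]))
    if count != control["record_count"]:
        exceptions["completeness"].append(f"count {count} != {control['record_count']}")
    if round(hash_total, 2) != control["hash_total"]:
        exceptions["completeness"].append(f"hash total {hash_total:.2f} != {control['hash_total']:.2f}")
    return exceptions
```

A batch with any non-empty exception list would be rejected and returned to the originating department rather than posted to the master data.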

12 (8–12) Control Plans (space domain)
Information processing policies and procedures that assist in accomplishing control goals:
- Control environment
- Pervasive control plans
- Process control plans

13 (8–13) FIGURE 8.1 A Control Hierarchy
- The Control Environment: overall policies and procedures that demonstrate an organization’s commitment to the importance of control.
  - Overall protection: enhances the effectiveness of the pervasive and application control plans.
  - Examples: corporate ethics; “tone at the top”.
- Pervasive Control Plans: address multiple goals and apply to many processes.
  - Second level of protection: a major subset of these controls, IT processes (i.e., controls), is discussed in this chapter.
  - Examples: access to systems; fidelity bonds.
- Process Control Plans: relate to a specific business process or to the technology used to implement the process.
  - Third level of protection: discussed and illustrated in Chapters 9–14.
  - Examples: edit checks; batch totals.

14 (8–14) Control Plans: Other Classifications (time domain)
- Preventive
- Detective
- Corrective

15 (8–15) Information Technology Resources
- Data
- Application systems
- Technology
- Facilities
- People

16 (8–16) Four Broad IT Control Process Domains (from COBIT) — FIGURE 8.2

17 (8–17) Ten Important IT Control Processes — FIGURE 8.2

18 (8–18) IT Control Processes and Domains
- Planning and Organization
  - Process 1: Establish strategic vision
  - Process 2: Develop tactics to realize strategic vision
- Acquisition and Implementation
  - Process 3: Identify automated solutions
  - Process 4: Develop and acquire IT solutions
  - Process 5: Integrate IT solutions into operations
  - Process 6: Manage change to existing IT systems

19 (8–19) IT Control Processes and Domains (cont’d)
- Delivery and Support
  - Process 7: Deliver required IT services
  - Process 8: Ensure security and continuous service
  - Process 9: Provide support services
- Monitor operations

20 (8–20) Process 1: Elements of a Strategic IT Plan
- Summary of the organization’s strategic goals and strategies and how they relate to the IT function.
- IT goals and strategies and how each will support the organization’s goals and strategies.
- Information architectural model
  - Corporate data model and the associated information systems

21 (8–21) Process 2: Organizational Control Plans
- Segregation of duties
  - Authorizing transactions
  - Executing transactions
  - Recording transactions
  - Safeguarding resulting resources
- Organizational plans for the information system function
- IT steering committee

22 (8–22) Illustration of Segregation of Duties — TABLE 8.2a
- Function 1, Authorizing Events: approve steps of event processing.
- Function 2, Executing Events: physically move resources; complete source documents.
- Function 3, Recording Events: record events in the appropriate data store(s); post event summaries to the master data store.
- Function 4, Safeguarding Resources Resulting from Consummating Events: physically protect resources; maintain accountability of physical resources.
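Segregation of duties is only a control if somebody checks that no one person ends up holding more than one of the four functions for the same event stream. The following added example (not from the deck) takes a constructed export of user-to-function assignments, reports every incompatible pair one user holds, and provides a preventive check that can be run before a new function is granted. The user names and assignments are invented.

```python
# Added example: detecting segregation-of-duties conflicts across the four
# functions in Table 8.2a. The role assignments below are constructed.
from itertools import combinations

# The four functions that the table keeps in separate hands.
FUNCTIONS = ("authorize", "execute", "record", "safeguard")

# Constructed: which users currently hold which function, as an application's
# role export might list them. "pat" and "dave" each hold more than one.
ASSIGNMENTS = {
    "alice": {"authorize"},
    "bob": {"execute"},
    "carol": {"record"},
    "pat": {"record", "safeguard"},
    "dave": {"authorize", "execute", "record"},
}


def sod_conflicts(assignments):
    """Return {user: [(f1, f2), ...]} listing every pair of the four functions
    held by the same person. Under the table's model any two is a conflict."""
    conflicts = {}
    for user, funcs in assignments.items():
        held = [f for f in FUNCTIONS if f in funcs]  # stable, table order
        pairs = list(combinations(held, 2))
        if pairs:
            conflicts[user] = pairs
    return conflicts


def would_conflict(assignments, user, new_function):
    """Preventive check for a provisioning request: True if granting
    new_function to user would put a second function in the same hands."""
    if new_function not in FUNCTIONS:
        raise ValueError(f"unknown function: {new_function}")
    return any(f != new_function for f in assignments.get(user, ()))
```

The detective report (`sod_conflicts`) is what an internal audit run would produce; the preventive check (`would_conflict`) belongs in the access-request workflow so the conflict is refused rather than reported after the fact.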

23 (8–23) Illustration of Segregation of Duties (cont’d) — TABLE 8.2b

24 (8–24) Process 3: Identify Automated Solutions
- Develop solutions consistent with the strategic IT plan
Process 4: Develop/Acquire IT Solutions
- Develop/acquire application software
- Acquire technology infrastructure
- Develop service-level requirements and application documentation

25 (8–25) Process 5: Integrate IT Solutions Into Operational Processes
Process 6: Manage Changes to Existing IT Systems
- Develop solutions consistent with the strategic IT plan
- Develop/acquire application software
- Acquire technology infrastructure
- Develop service-level requirements and application documentation

26 (8–26) Process 7: Deliver Required IT Services
- Define service levels
- Manage third-party services
- Manage IT operations
- Manage data (backup)
- Identify and allocate costs

27 (8–27) Illustration of Program Change Controls — FIGURE 8.3

28 (8–28) Process 8: Ensure Security and Continuous Service
- Disaster recovery
  - Hot site (fully equipped)
  - Cold site (environmentally conditioned)
- Restrict access
  - Physical access
  - Logical access

29 (8–29) Restricting Access to Computing Resources: Layers of Protection — FIGURE 8.4a

30 (8–30) Restricting Access to Computing Resources: Layers of Protection (cont’d) — FIGURE 8.4b

31 (8–31) Environmental Controls — TABLE 8.5
- Hazard: Fire. Controls: smoke detectors, fire alarms, fire extinguishers, fire-resistant construction materials, insurance.
- Hazard: Water damage. Controls: waterproof ceilings, walls, and floors; adequate drainage; water and moisture detection alarms; insurance.
- Hazard: Dust, coffee, tea, soft drinks. Controls: regular cleaning of rooms and equipment; dust-collecting rugs at entrances; separate dust-generating activities from the computer; good housekeeping; prohibiting food and drinks within computing facilities.
- Hazard: Energy increase, decrease, loss. Controls: voltage regulators; backup batteries and generators; fiber optic networks.

32 (8–32) Process 9: Provide Support Services
- Regular training sessions should be provided
- Advice and assistance should be given
- Very often a “help desk” is set up for these purposes
Process 10: Monitor Operations
- Gather data about processes
- Generate performance reports
- WebTrust - ISP

